Getting Data In

How to stop access to Port 8089 in Splunk or change password on Universal Forwarder?

Explorer

On all the Universal Forwarders, any user has the ability to access REST API called Splunk ATOM Feed:Splunkd. They can access this on any Universal Forwarder by putting in https:localhost:8089 or loopback 127.0.0.1:8089. I am trying to disable this feature or at the very least change the default password. The research that I’ve done informed me that this is not being used since we are not running a deployment server and we currently don’t have plans to use one in the future. The interface itself seems to be locked down and you can’t make any changes to it just view.

1 Solution

Explorer

I contacted Splunk Engineering and the best way is disable port 8089 is

Go to: c:/splunkforwarder/etc/system/local/server.conf
Add: [httpServer]
disableDefaultPort=true

Restart: splunkforwarder in services

View solution in original post

0 Karma

Explorer

I contacted Splunk Engineering and the best way is disable port 8089 is

Go to: c:/splunkforwarder/etc/system/local/server.conf
Add: [httpServer]
disableDefaultPort=true

Restart: splunkforwarder in services

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

You can change the password for UF (and HF) from the cli very easily, via :

 ./splunk edit user admin -password newpassword -role admin -auth admin:changeme

This changes the password to 'newpassword'.

You can run this via installation scripts, or post-installation.

As for access to localhost:8089, best practice would be to use a localhost based firewall to restrict access to 8089 from outside of the box. ( Iptables, ipfw etc..)

0 Karma

Contributor

You can change the default password by putting in a different 'passwd' file. But you have to do it @installation time, this van never be pushed with a deployment server.

0 Karma